weaveworks/policy-agent

Helm Chart multiple issues

steveww opened this issue · 8 comments

The current Helm Chart has a number of problems.

  • using latest image tag
  • mounting over /tmp
  • Does not include dependency of cert-manager
  • Namespace manifest in templates

I've written my own Helm Chart based off the one in this repo.
Check it out http://fastfolfe.co.uk/charts/policy-agent-0.1.0.tgz
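The four problems listed above are all fixable inside the chart itself. The following is an added example of how a chart can do that; it is not the weaveworks/policy-agent chart or the chart linked above, and the helper name `policy-agent.fullname`, the values keys, the appVersion and the cert-manager chart version are assumptions.

```yaml
# Chart.yaml: declare cert-manager as an optional, pinned dependency rather
# than leaving it to the user. Caveat: a chart dependency installs alongside
# the agent; it does not by itself guarantee that cert-manager's CRDs and
# webhook are ready before this chart's Certificate objects are applied.
apiVersion: v2
name: policy-agent
version: 0.1.0
appVersion: "1.0.0"            # assumed; the image tag is derived from this
dependencies:
  - name: cert-manager
    version: "v1.9.1"          # assumed; pin it, never a floating version
    repository: https://charts.jetstack.io
    condition: cert-manager.enabled
---
# values.yaml
image:
  repository: weaveworks/policy-agent
  tag: ""                      # empty => fall back to appVersion, never "latest"
cert-manager:
  enabled: true
  installCRDs: true
---
# templates/deployment.yaml (fragment)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "policy-agent.fullname" . }}
  # No Namespace object in templates/: install into the release namespace
  # (helm install -n <ns> --create-namespace) so ownership of the namespace
  # is not tied to this release.
  namespace: {{ .Release.Namespace }}
spec:
  template:
    spec:
      containers:
        - name: agent
          # Pinned tag: reproducible pulls and an image you can audit later.
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          volumeMounts:
            - name: certs
              mountPath: /certs  # a dedicated path, not a mount over /tmp
              readOnly: true
      volumes:
        - name: certs
          secret:
            secretName: {{ include "policy-agent.fullname" . }}-tls
```

Render it with `helm template policy-agent . -n policy-system` and check the output for `:latest` and `kind: Namespace` before publishing; an image tag that resolves to `latest` defeats the pin.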

The following are already solved:

  • using latest image tag
  • Namespace manifest in templates

Cert manager is added as a dependency, but it is not working as expected and needs some follow-up.

Regarding the cert manager issue, the only way that I found to solve it is Helm hooks, which is not the cleanest way and may cause conflicts between dependencies. I couldn't find a clean way to install cert-manager before installing the agent. @alichaddad @serboctor

I am not sure why we need to do all of this. The policy-agent chart handles the cert manager scenario for convenience; I don't think it should be integrated even more into the agent. There is an alternative to using cert manager in the agent, even if it is more troublesome, and we might introduce another one in the future. The point is that it isn't necessarily an integral part of the agent.

Is there a specific use case that requires this? WGE already handles the dependency using the layer system and that makes it easy to install both cert manager and the agent on leaf clusters. Is there another scenario that I am overlooking?

@steveww From a product perspective, we are currently optimizing for usage through WGE. Also, from a technical perspective, as Ali mentioned, it might not be a good idea to have the agent responsible for installing cert manager or managing the dependency on cert manager, especially when the user can use another way of getting the certificate needed for the agent to work.

I would also love for @enekofb to provide his feedback on which is the right path for this.

Does not include dependency of cert-manager

@steveww what are your expectations here regarding cert-manager?

I would not assume that there is an install / upgrade dependency between these two capabilities:

  • policy agent manages policies
  • cert manager manages certificates

Setting an expectation about the lifecycle between the two would couple them too tightly.

I think this looks good 8584518

@nohasaayed
It fails when persistence.enabled equals false.

logs

{"level":"info","timestamp":"2022-08-25T16:45:40.569Z","caller":"policy-agent/main.go:101","message":"initializing Policy Agent","accountID":"ww","clusterID":"ahmed-cluster","build":"200.fdbb833"}
{"level":"info","timestamp":"2022-08-25T16:45:40.569Z","caller":"policy-agent/main.go:102","message":"config: {KubeConfigFile: AccountID:ww ClusterID:ahmed-cluster LogLevel:info ProbesListen::9000 MetricsAddress::8080 Admission:{Enabled:true Webhook:{Listen:8443 CertDir:/certs} Sinks:{FilesystemSink:0xc0002ee1a0 FluxNotificationSink:<nil> K8sEventsSink:0xc00057b9b8 SaasGatewaySink:<nil> ElasticSink:<nil>} PolicySet:} Audit:{WriteCompliance:false Enabled:false Sinks:{FilesystemSink:<nil> FluxNotificationSink:<nil> K8sEventsSink:<nil> SaasGatewaySink:<nil> ElasticSink:<nil>} PolicySet:}}","accountID":"ww","clusterID":"ahmed-cluster"}
{"level":"info","timestamp":"2022-08-25T16:45:40.588Z","caller":"policy-agent/main.go:212","message":"initializing filesystem admission sink ...","accountID":"ww","clusterID":"ahmed-cluster","file":"/var/log/result.json"}
{"level":"fatal","timestamp":"2022-08-25T16:45:40.588Z","caller":"policy-agent/main.go:353","message":"failed to initialize filesystem sink: failed to open file /var/log/result.json to write validation results: open /var/log/result.json: permission denied","accountID":"ww","clusterID":"ahmed-cluster","stacktrace":"main.main\n\t/home/weaveworks/policy-agent/main.go:353\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:255"}

I think the user the agent is running as doesn't have permission to access /var/log.
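The failure above is the chart giving the filesystem sink no writable location when no PVC is mounted: the non-root process tries to create `/var/log/result.json` on the image's root-owned filesystem. One way a chart can handle the `persistence.enabled=false` case, as an added example that is not the project's chart: the values keys, the sink directory, the `policy-agent.fullname` helper and the uid are assumptions; the failing path comes from the log above.

```yaml
# values.yaml (fragment)
persistence:
  enabled: false
  size: 1Gi
sink:
  dir: /var/log                # directory the agent writes result.json into (assumed key)
---
# templates/deployment.yaml (pod spec fragment)
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532           # assumed non-root uid
        fsGroup: 65532             # mounted volumes become group-writable for the agent
      containers:
        - name: agent
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true   # every writable path is an explicit volume
          volumeMounts:
            - name: results
              mountPath: {{ .Values.sink.dir }}
      volumes:
        - name: results
        {{- if .Values.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ include "policy-agent.fullname" . }}-results
        {{- else }}
          # No PVC requested: give the non-root process a writable scratch
          # volume instead of the image's root-owned /var/log, which is what
          # produced "permission denied" in the log above. Results do not
          # survive a pod restart in this mode.
          emptyDir: {}
        {{- end }}
```

Mounting a volume over `/var/log` hides whatever the image ships there, the same pattern the issue objects to for `/tmp`; if the sink path is configurable, pointing it at a dedicated directory such as `/data` and mounting the volume there is cleaner. `readOnlyRootFilesystem: true` makes the mistake visible at render time rather than at first write, because any path the agent needs must then appear as a volume.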